Introduction


Lack  of  security  and  privacy  are  two  very 
common  problems  facing  those  involved  with 
computers  today.  Many  people  in  the  computer 
business  are  simply  not  aware  of  or  are 
apathetic  to  ADP  (automated  data  processing) 
security  and  privacy  matters. 

Loss  of  security  and  privacy  is,  however,  a 
very  real  threat  in  today's  highly  automated 
world.  Without  strict  security  and  privacy 
regulations,  data  could  be  lost,  stolen,  or 
manipulated.  Since  much  modern  data  are 
beginning  to  be  stored  in  ADP  systems,  misuse, 
mismanagement,  or  just  plain  carelessness  could 
result  in  major  problems  for  a  great  number  of 
people. 

Some  security  can  be  built  into  ADP  hardware 
and  software  during  the  developmental  phase, 
but,  at  the  present  time,  no  system  is 
completely  secure.  It  is  the  responsibility  of 
computer users/custodians to maintain a high
level  of  security  and  privacy  for  all  computer 
files. 

Because of the obvious lack of awareness
concerning  security  and  privacy,  the  following 
questions  need  to  be  answered: 

1.  What  do  the  terms  "security"  and 
"privacy"  mean  when  used  in  connection 
with  ADP  hardware  and  software? 

2.  What  happens  when  there  is  a  lack  of 
security?  of  privacy? 

3. What are some of the causes of this lack
of  security  and  privacy? 

4.  Who  has  the  ultimate  responsibility  for 
maintaining  security  and  determining 
privacy  requirements? 

5.  What  are  some  of  the  possible  solutions 
for  these  problems? 

Security— What Is It?

According to Webster, security is a state of
being or feeling secure; freedom from fear,
anxiety, danger, doubt, etc. It is also a state or
sense of safety or certainty.

How  Does  Security  Relate  to  ADP  Systems? 

In order to have a secure ADP system, only
those with a "need-to-know" should have access
to data. Security also means that data in ADP
systems should be correct and their integrity
intact. In other words, security refers to the
protection of resources from damage and the
protection of data against accidental or
intentional disclosure or unauthorized
modification or destruction.

What  Are  ADP  Systems? 

Automated data processing systems are
primarily, but not solely, computers. An ADP
system is essentially made up of six elements:

1. The physical environment,
2. People dealing with the system,
3. Communications,
4. Policies and procedures,
5. Hardware, and
6. Software.

Why  Is  Security  Such  a  Problem? 

Security in ADP systems is becoming a
problem in direct proportion to the increase in
the number of computer systems becoming
available. One major reason computers have
security problems is because they are located in
a hostile environment. Such vulnerability stems
from the following factors:

1. Complexity,
2. Speed of operation,
3. Vast amounts of data,
4. Inadequate audit trails,
5. Telecommunications,
6. Complicated operating systems, and
7. Lack of understanding about security
aspects.

The security aspects of ADP systems can be
defined  as: 

1.  Large  scale  data  bases  containing  sensitive 
information, 

2.  Remote  access  considerations, 

3. Constant growth in numbers of users, and

4.  Increase  in  numbers  of  personnel  with 
technical  knowledge  required  to  access 
computer  systems. 

Why  Are  Security  Problems  on  the  Rise? 

In today's complex world, there is an
increased dependency upon computer systems
for critical and sensitive applications.

Dependency also stems from a lack of manual
back-up systems and inadequate contingency
planning.

Although there is an increased dependency
upon computers, there has been apathy or a
lack of awareness concerning security because
of work exigencies. There is also the matter of
limited resources that require careful
consideration of priorities.

In other words, because of the great demand
for fast, efficient computer services, security has
not been completely and competently
maintained.

Are  There  Any  Other  Security  Problems? 


In  addition  to  the  vulnerabilities  produced  as 
a  by-product  of  the  computer  industry  growth, 
there  are  certain  very  real  threats  to  security 
including: 

1.  Natural  hazards 

•  Fire. 

•  Flood. 

•  Severe  storm, 

• Failure of electrical power (e.g., air
conditioning), 

•  Communications  failure,  and 

•  System  failure. 

2.  Accidental  errors,  omissions,  or  failures 

•  User  errors. 

•  Operator  errors, 

•  Data  preparation  errors, 

•  Application  program  errors, 

•  Output  errors 

•  System  errors. 

• Communication errors, and

•  Inadvertent  release  of  sensitive 
information. 


3. Deliberate acts of computer abuse

• Fraud,

• Embezzlement,

• Theft,

• Malicious damage,

• Unauthorized use of facilities,

• Sabotage,

• Espionage, and

• Contractor abuse.


What  Can  Be  Done  About  Such  Threats? 

It would be difficult, if not impossible, to
prevent natural hazards. However, accidental
errors, omissions, or failures, and deliberate
computer abuses are problems that can be kept
to a minimum with proper maintenance and
surveillance. Although security should be built
into a system, no system can be really secure
unless the user makes it secure. To put this
another way, no matter how many security
gadgets are used, a secure system is no better
than the person using it. Security must be a
personal matter with every computer operator
and user in order to have a significant impact.


Who  Is  Actually  Responsible  for  Security? 

It is the responsibility of the system designers
and manufacturers to build security into an ADP
system. Users have the responsibility to maintain
a careful watch on their security practices.
Management is also responsible since they
should set up security requirements and
regulations for their employees. In addition, the
vendors and users should work together to
determine who is responsible for what
computer security function.

It should be kept in mind, though, that when
a security system is being set up, requirements
and regulations should be easily understood and
workable. Too much restriction and too much
regulation are as bad as too little of either one.

Those damned oil companies! This is the third blackout this week


What  Roles  Do  Management  and  Users 
Play  in  Security  Problems? 


In  most  cases,  management  plays  a  key  role 
in  the  problems  associated  with  security.  In 
general,  most  managers  are  mission-oriented. 
They  are  more  concerned  with  the  ultimate 
product  than  with  the  production  process. 
Management  has  recently  become  more  aware 
of  the  critical  problems  associated  with 
computer  security  and  they  are  taking  strong 
measures  to  resolve  those  problems. 

Individual  users  also  have  problems  with 
security.  There  seems  to  be  a  lack  of  concern 
with  regard  to  system  security.  The  user  has  a 
tendency  to  view  a  computer  as  just  another 
inanimate  object,  and  yet,  this  inanimate  object 
still  presents  a  challenge  to  him.  In  most  cases, 
a  user  will  not  consider  computer  abuse  (on  a 
small  scale)  a  crime.  Computer  system  users  can 
also  be  lax  about  reporting  known  security 
violations because they don't realize that it can
jeopardize  their  own  security. 


There  is  also  another  problem  regarding  user 
security.  Many  computer  users  feel  that  the 
classification  of  data  is  the  responsibility  of 
those  involved  with  computer  operation  rather 
than  that  of  computer  users.  In  fact, 
classification  rests  in  the  hands  of  subject  matter 
specialists,  not  computer  operations  people. 

Today's  computer  world  is  marked  by  rapid 
growth  and  extension  of  applications,  continued 
growth  in  the  numbers  of  systems  (especially 
mini-  and  micro-computers),  and  large  increases 
in  the  numbers  of  people  involved  in  data 
processing. In such an environment,
management's  lack  of  involvement  and  users' 
apathy  serve  only  to  compound  the  ADP 
security  problem. 

Privacy— What Is It?

Webster defines privacy as the quality or
condition of being private; withdrawal from
public view or company; seclusion; secrecy. It
can also be one's private or personal affairs.

How  Does  Privacy  Relate  to  ADP 
Systems? 

First of all, one must realize the amount of
sensitive personal data that is stored in today's
computers. A person's entire history is recorded,
including financial data, medical records, military
files, and so forth. An ADP system becomes a
storehouse of valuable, but in many cases, very
private information. Privacy, then, refers to the
rights of individuals and organizations to
determine for themselves when, how, and to
what extent information about them is to be
transmitted to others. Privacy is an issue that
goes far beyond computer centers and can be
thought of as a people problem since people,
not machines, affect it.


Who  Could  Gain  from  Use  of  Personal 
Data? 


A person who gained access to data files
without a need-to-know could cause many
problems, not only for the private citizen but for
others as well. He or she could, for example:

1. Manipulate data,

2. Modify/falsify data,

3. Acquire proprietary information and
programs,

4. Alter stored programs,

5. Change master files,

6. Access passwords/algorithms, or

7. Deny authorized access.

In other words, someone could deliberately
abuse computer files to affect many aspects of a
person's life, such as his credit rating,
employment records, even his community
standing.


Has  Anything  Been  Done  to  Prevent  Such 
Acts? 


Congress passed the "Privacy Act of 1974,"
which sets up certain guidelines regarding
privacy and data stored in computers and
manual files. In essence, Congress recognized
that  a  person  does  have  a  right  to  privacy, 
including  privacy  with  regard  to  personal  files. 
However,  there  are  instances  when  such  files 
would  be  made  available  to  authorized  persons 
upon  request. 

What  Are  the  Custodian's  Responsibilities 
Concerning  Privacy? 

The custodian has a responsibility to
determine  information  necessary  when  a 
request  has  been  received  for  file  information. 
The  accuracy  standards  should  also  be 
determined,  along  with  identification  of 
protection  requirements,  and  the  establishment 
of the sensitivity of requested information.


The  custodian  should  also  determine  how  the 
use  of  the  information  requested  could 
adversely  affect  the  particular  individual 
involved.  He  can  do  this  by  considering  the 
following  criteria: 

1. What is adverse?

2.  What  data  are  vital? 

3. What should be done if vital information
is  in  error? 

4.  What  should  be  done  if  vital  information 
is  disputed? 

5. What should be done if vital information
is  missing? 

6.  How  much  impact  will  an  error  correction 
have  on  a  system? 

A determination should also be made as to
the "need-to-know."


Summary of ADP Security/Privacy
Problems


What  Can  Be  Done? 


The typical problem areas with regard to
computer  security  are  as  follows: 

1.  Insufficient  emphasis  on  computer 
security  (i.e.,  inadequate  security 
planning,  contingency  planning), 

2. Lack of vulnerability/threat/risk
assessment,

3. Lack of management involvement in
computer security issues, and

4. Lack of protection against natural
disasters.

Computer  privacy  problems  include: 

1.  Manipulation  of  data  (modification  or 
falsification). 

2. Acquisition of proprietary information
without a "need-to-know," and

3. Unauthorized acquisition of
passwords/algorithms.


Security and privacy are two very important
facets that a society, which is fast becoming
automated, has to take into account. Although
many things contribute to a lack or loss of
security and privacy, the main ingredients in
any security or privacy problem are the people
involved with the systems. To most people,
"security" and "privacy" are nebulous terms, and
rather than learn all the rules and regulations
concerning them, they choose to be apathetic.
In order for society to have an effective and
efficient computerized network, not only the
systems themselves, but also all of the people
involved with them, must be "geared" toward
maintaining security and privacy. Security and
privacy measures cannot be looked upon as
unimportant or not pertinent, but must become
an integral part of the computer environment.


This booklet was prepared by the Computer Sciences
Department to promote awareness of computer
security and privacy problems.

The Computer Sciences Department wishes to
acknowledge the excellent response and assistance
provided by Mr. J. Bonas, Graphics Branch, and Mr. W.
l Conforti, Technical Writing Branch, in planning this
publication. Appreciation is also extended to Mr. D. W.
I itton, Graphics Branch, for conceiving and preparing
the artwork; to Ms. P. A. Ellis, Technical Writing
Branch, for coordinating and writing the booklet; and
to Mr. J. I. Neville, Jr., Programming and Computer
Operations Branch, for his ideas and guidance.

Questions and comments concerning the contents of
this booklet should be directed to Mr. J. R. Babiec
(Code 44 \).